Phase randomization improves the security of quantum key distribution 
Ideal quantum key distribution (QKD) protocols call for a source that emits single photon signals, 
but the sources used in typical practical realizations emit weak coherent states instead. A weak 
coherent state may contain more than one photon, which poses a potential security risk. QKD 
with weak coherent state signals has nevertheless been proven to be secure, but only under the 
assumption that the phase of each signal is random (and completely unknown to the adversary). 
Since this assumption need not be fully justified in practice, it is important to know whether phase 
randomization is really a requirement for security rather than a convenient technical assumption 
that makes the security proof easier. Here, we exhibit an explicit attack in which the eavesdropper 
exploits knowledge of the phase of the signals, and show that this attack allows the eavesdropper 
to learn every key bit in a parameter regime where a protocol using phase-randomized signals is 
provably secure. Thus we demonstrate that phase randomization really does enhance the security of 
QKD using weak coherent states. This result highlights the importance of a careful characterization 
of the source for proofs of the security of quantum key distribution. 

PACS numbers: 03.67.Dd 
In quantum key distribution [1], two parties (Alice and Bob) use quantum signals to establish a
shared key that can be used to encrypt and decrypt classical messages. An eavesdropper (Eve) who
collects information about the key by interacting with the signals produces a detectable
disturbance; therefore Alice and Bob can detect the eavesdropper's activity, and they can reject
the key if they fear that the eavesdropper knows too much about it. But if the detected
disturbance is weak enough, then Alice and Bob can use classical error correction and privacy
amplification protocols to extract a shared key that is very nearly uniformly distributed and
almost certainly private [2-5]. The security of the QKD protocol is said to be unconditional,
because the security can be proven for any attack consistent with the laws of quantum physics,
and without any assumptions about computational hardness.

Experiments have recently demonstrated the feasibility of QKD over 150 km telecom fibers [6,7],
and at least two firms are now marketing commercial QKD systems [8]. But how secure are these
systems, really? To assess the security of practical implementations of QKD, it is important to
consider how well the actual systems match the performance assumed in the security proofs. In
particular, the signals used in typical practical realizations of QKD are dim laser pulses, which
occasionally contain more than one photon. Multi-photon signals together with loss in the optical
fiber can threaten security, but proofs of security for QKD using weak coherent states have been
found [9,10]. (We note that for QKD protocols that use decoy states [11-14], security can be
proven even for rather strong coherent-state signals. In this paper, however, we will focus on
QKD with weak coherent states.)



A key assumption in the security proofs in [9,10] (and also in [12]) is that the phase of the
quantum signal is uniformly random. A coherent state of one mode of the electromagnetic field can
be expressed as
where $|n\rangle$ denotes the state with photon number $n$. We may write
$\alpha = \sqrt{\mu}\,e^{i\theta}$, where $\mu = |\alpha|^2$ denotes the mean photon number and
$e^{i\theta}$ is the phase of the coherent state. To an eavesdropper with no a priori knowledge
of the phase, a signal whose phase is selected uniformly at random is indistinguishable from the
state

$$\rho_\mu = \int \frac{d\theta}{2\pi}\, |\sqrt{\mu}\,e^{i\theta}\rangle\langle\sqrt{\mu}\,e^{i\theta}| = e^{-\mu}\sum_{n=0}^{\infty} \frac{\mu^n}{n!}\, |n\rangle\langle n| , \qquad (2)$$

a Poisson distributed mixture of photon number eigenstates. Therefore, for a security analysis,
we may suppose that a source emitting weak coherent state signals is actually emitting signals in
the state $\rho_\mu$.

With probability $p_0 = e^{-\mu}$, which is close to one for small $\mu$, the source emits no
photon; exactly one photon is emitted with probability $p_1 = \mu e^{-\mu}$. The probability that
two or more photons are emitted is

$$p_M = 1 - e^{-\mu}(1 + \mu) \le \frac{1}{2}\mu^2 . \qquad (3)$$

Multiphotons can pose a security risk, but if each signal has a random phase, $p_M$ is
sufficiently small, and the loss in the channel is not too high, then it is possible to prove
security against arbitrary eavesdropping attacks [9,10].

However, no known security proof applies if the eavesdropper has some a priori knowledge about
the phase of the signal states. Conceivably, such phase information might be accessible in
realistic implementations of QKD. For example, in a "plug-and-play" scheme, a strong signal is
sent from Bob to Alice, who attenuates and modulates the signal before returning it to Bob; in
unidirectional schemes as well, strong ancillary pulses are sometimes used to monitor the
channel. The phase of a strong pulse is accurately measurable in principle, and could be
correlated with the phase of the key-generating pulse. Even if strong pulses are not used, the
phase coherence of a realistic source might be maintained during the emission of many weak
signals, allowing the phase to be determined accurately. Therefore, it is important to
investigate the security of QKD under the assumption that the eavesdropper knows something about
the phase of the signals. Can she exploit this knowledge to improve the effectiveness of her
attack?

Our conclusion is that she can. We will compare the security of two implementations of the BB84
QKD protocol [1], using two different sources. Source R (for random) emits phase randomized weak
coherent states with mean photon number $\mu$. Source P (for phase) emits weak coherent states
with the same mean photon number $\mu$, but such that each signal has a definite phase (e.g.,
$e^{i\theta} = 1$) that is known by the eavesdropper. We will show that there is a range for the
bit error rate $\delta$ observed in the protocol ($.146 < \delta < .189$) such that, for
sufficiently small $\mu$, BB84 using source R is secure, but BB84 using source P is not.
Specifically, using source R, key bits can be generated at a positive asymptotic rate such that,
with high probability, the key is exponentially close to uniformly random and the eavesdropper's
knowledge of the key is exponentially small. But if source P is used, for the same bit error rate
and signal strength, the eavesdropper has perfect knowledge of every key bit.

Briefly, our argument goes as follows: We will describe an intercept/resend attack on BB84 using
a measurement that we call unambiguous key discrimination. By exploiting her knowledge of the
phase of the signals emitted by source P, Eve performs a POVM with three outcomes: 0, 1, and DK
(don't know). The DK outcome is inconclusive, but if either of the other outcomes occurs, then
Eve knows with certainty the key bit (0 or 1) encoded in the BB84 signal emitted by the source,
though she does not gain any information about which of the two possible BB84 states compatible
with that key bit was emitted. Eve blocks the signals when her outcome is DK, but if the outcome
is conclusive she sends on to Bob a uniform coherent superposition of the two compatible BB84
states. This procedure generates a bit error rate
$\delta = \frac{1}{2} - \frac{1}{2\sqrt{2}} \approx .146$. Evidently, Eve has the same key
information as Alice and Bob, so that, if she also knows their protocol for error correction and
privacy amplification, she will have perfect knowledge of every bit of the final key. On the
other hand, if source R is used instead, by combining techniques in [10] with the two-way privacy
amplification protocol in [15], we will show that for the same bit error rate, secure key can be
extracted at a nonzero rate for $\mu < .0240$. Our essential observation is that while a fraction
$O(\mu^2)$ of all signals are insecure when source R is used, this fraction increases to
$O(\mu)$ when source P is used instead. Thus, QKD using source P is intrinsically more vulnerable
to eavesdropping.

In the rest of this paper, we explain our argument in more detail. In the ideal
(polarization-based) BB84 protocol, each signal is a single photon, and the key information is
carried by the photon's polarization, a qubit. We consider two conjugate orthonormal bases for
this qubit: the $z$ basis $\{|0\rangle, |1\rangle\}$ and the $x$ basis
$\{|+\rangle, |-\rangle\}$, where $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$. The source
emits one of these four states, chosen equiprobably. For signals sent in the $z$ basis, 0 and 1
are the key bits. For signals sent in the $x$ basis, $+$ indicates the key bit 0 and $-$
indicates 1.

If the source actually emits weak coherent states, then the BB84 signals become

$$\begin{aligned}
|\tilde{0}\rangle &= e^{-\mu/2}\left(|\mathrm{vac}\rangle + \alpha|0\rangle + \dots\right) , \\
|\tilde{1}\rangle &= e^{-\mu/2}\left(|\mathrm{vac}\rangle + \alpha|1\rangle + \dots\right) , \\
|\tilde{+}\rangle &= e^{-\mu/2}\left(|\mathrm{vac}\rangle + \alpha|+\rangle + \dots\right) , \\
|\tilde{-}\rangle &= e^{-\mu/2}\left(|\mathrm{vac}\rangle + \alpha|-\rangle + \dots\right) ,
\end{aligned} \qquad (4)$$

where $|\mathrm{vac}\rangle$ denotes the vacuum (no-photon) state, and the ellipsis indicates the
multiphoton contribution. Let us suppose that the phase of each signal is $e^{i\theta} = 1$, so
that $\alpha = \sqrt{\mu}$ is real and positive. We assume that $\alpha$ is small, so that
multiphotons are unlikely. Ignoring the small multiphoton component, the signals reside in a
qutrit Hilbert space with basis $\{|\mathrm{vac}\rangle, |0\rangle, |1\rangle\}$; expanded in
this basis, they may be re-expressed as

$$\begin{aligned}
|\tilde{0}\rangle &= e^{-\mu/2}\,(1,\ \alpha,\ 0) , \\
|\tilde{1}\rangle &= e^{-\mu/2}\,(1,\ 0,\ \alpha) ,
\end{aligned}$$

We note that the four BB84 states span a plane in the Bloch sphere that can be chosen
arbitrarily; thus we could replace the $x$ basis states by the rotated states
$|\pm\rangle_\varphi = (e^{i\varphi}|0\rangle \pm e^{-i\varphi}|1\rangle)/\sqrt{2}$. In the ideal
protocol the phase $e^{i\varphi}$ has no significance, but for weak coherent signals that are not
phase randomized, the effectiveness of Eve's attack can depend on $e^{i\varphi}$. In eq. (5) we
have chosen $e^{i\varphi} = 1$, because this choice minimizes Eve's ability to discern the value
of the key bit.

The multiphoton component of the state can help Eve, but to keep our analysis simple, we will
consider an attack on the source P that makes no use of the multiphotons. Eve performs an
orthogonal measurement that distinguishes photon number less than two from photon number greater
than or equal to two, and she discards the state if the latter outcome is found. (We will be
interested in values of $\mu$ that are sufficiently small that Eve would not benefit very much
from taking advantage of the multiphotons.) Thus the states she retains are qutrits. She then
performs a three-outcome POVM (unambiguous key discrimination) to identify the key bit. The two
conclusive outcomes of the POVM are projections onto the states:

$$\begin{aligned}
|0^\perp\rangle &= N_{\alpha,0}\left(-\alpha - \frac{\alpha}{\sqrt{2}},\ 1 + \frac{1}{\sqrt{2}},\ \frac{1}{\sqrt{2}}\right) , \\
|1^\perp\rangle &= N_{\alpha,1}\left(-\frac{\alpha}{\sqrt{2}},\ 1 + \frac{1}{\sqrt{2}},\ \frac{1}{\sqrt{2}}\right) ,
\end{aligned} \qquad (6)$$

where $N_{\alpha,0}$, $N_{\alpha,1}$ are normalization factors such that



N~ 2 
V.o 
(2 + V2)
= (2 + y/2) 
The vector $|0^\perp\rangle$ is orthogonal to both of the two states $|\tilde{0}\rangle$ and
$|\tilde{+}\rangle$ that indicate the key bit 0. Hence, if this outcome is found, Eve knows for
sure that the key bit could not be 0 and so must be 1. Similarly, the vector $|1^\perp\rangle$ is
orthogonal to both of the states $|\tilde{1}\rangle$ and $|\tilde{-}\rangle$ that indicate the
key bit 1.

The vectors $|0^\perp\rangle$ and $|1^\perp\rangle$ are nearly parallel for small $\alpha$. To
ensure that all three POVM elements are positive, we may choose

$$E_0 = \frac{1}{2}\,|1^\perp\rangle\langle 1^\perp| , \qquad E_1 = \frac{1}{2}\,|0^\perp\rangle\langle 0^\perp| , \qquad E_{DK} = I - E_0 - E_1 . \qquad (8)$$

(For small positive $\mu$, the strength of the conclusive POVM elements can be pushed up
slightly, but this is a small effect that we ignore.) Thus we find the probability $p_D$ of a
conclusive outcome (taking into account that Eve might detect multiphotons and reject the state)



$\langle\tilde{0}|E_0|\tilde{0}\rangle = \langle\tilde{+}|E_0|\tilde{+}\rangle$
1 1
2
if the key bit is 0, and
$\langle\tilde{1}|E_1|\tilde{1}\rangle = \langle\tilde{-}|E_1|\tilde{-}\rangle$

1 1

2 ~ 2V2
(9)
if the key bit is 1. We note that the conclusive outcome is slightly more likely when the key bit
is 1. This asymmetry can be traced to the property that the overlap
$|\langle\tilde{+}|\tilde{0}\rangle|$ of the two signals that indicate the key bit 0 is slightly
larger than the overlap $|\langle\tilde{-}|\tilde{1}\rangle|$ of the two signals that indicate
the key bit 1. (For other choices of the phase $e^{i\varphi}$ that determines the plane in the
Bloch sphere occupied by the BB84 signals, the asymmetry is substantially larger.) In any case,
for either value of the key bit, the probability of a conclusive outcome obeys



$$p_D \ge (.146)\,\mu e^{-\mu}\left[1 + (.854)\mu\right]^{-1} . \qquad (11)$$

Now $p_D$ is the probability that Eve resends the signal to Bob, and therefore it is the
probability that Bob detects a signal, if his detector is perfectly efficient. If there were no
interference by the eavesdropper (and no loss in the quantum channel connecting Alice and Bob),
all non-vacuum signals would be detected, and then $p_D = 1 - e^{-\mu} = \mu + O(\mu^2)$. If Eve
uses the unambiguous key discrimination POVM, then of course $p_D$ vanishes in the limit
$\mu \to 0$, but what is noteworthy (and crucial for our argument) is that $p_D$ vanishes
linearly with $\mu$. Thus for $\mu$ small, a fraction $\eta \approx .146$ of order one of all the
non-vacuum signals sent by Alice are received by Bob.

Having characterized Eve's attack when source P is used, we now consider the security analysis
for source R, following [10]. We suppose that the source emits a multiphoton signal with
probability $p_M$, that Bob detects a fraction of all the signals sent by Alice, and that Eve's
attack is unrestricted. Of the signals that are received, the fraction that were emitted as
multiphotons is no more than $\Delta = p_M/p_D$; the rest are single photon signals.

We can prove security as in [5], by relating the BB84 protocol to a protocol in which the key is
generated by measuring noisy entangled pairs shared by Alice and Bob. Private key can be
extracted at a positive asymptotic rate if it is possible to distill high fidelity entanglement
from the noisy entanglement. Entanglement distillation will succeed if the noisy entangled pairs
have a bit error rate and a phase error rate that are both sufficiently small. The bit error rate
$\delta$ is inferred directly from the verification test in the BB84 protocol; the phase error
rate $\delta_p$ is also inferred, but by a less direct argument.

If the source and detector used in the protocol were perfect, then a symmetry argument would
suffice to show $\delta = \delta_p$. This symmetry is broken if the equipment is imperfect, but
it is still possible to bound the difference between the two error rates using an appropriate
characterization of the imperfections. For the case where Bob has a perfect detector, but Alice's
source sometimes emits multiphotons, it can be shown that

$$|\delta_p - \delta| \le \Delta/2 \qquad (12)$$

where $\Delta$ is the fraction of all the detected signals that were emitted as multiphotons.
(The upper bound $\Delta$ found in [10] has been improved to $\Delta/2$ in [16].)

Now, the security proof in [5], which relates one-way privacy amplification to one-way
entanglement distillation using quantum error-correcting codes, does not apply for a bit error
rate above $\delta = .110$. But security of BB84 was established in [15] for a bit error rate as
high as .189, by relating two-way privacy amplification to entanglement distillation with two-way
communication between Alice and Bob. The original argument in [15] assumed a perfect source and
detector. But the two-way entanglement distillation succeeds if both $\delta$ and $\delta_p$ are
below .189; therefore the argument can be applied to a protocol with imperfect equipment if there
is a strong enough bound on $|\delta - \delta_p|$.

If the bit error rate $\delta$ is .146, then the two-way BB84 protocol is secure for
$|\delta - \delta_p| < .189 - .146 = .043$. And for a source that emits phase-randomized coherent
states, it suffices that $\Delta < .086$, where

$$\Delta = \frac{p_M}{p_D} \le \frac{\frac{1}{2}\mu^2}{(.146)\,\mu e^{-\mu}\left[1 + (.854)\mu\right]^{-1}} = (3.42)\,\mu e^{\mu}\left[1 + (.854)\mu\right] . \qquad (13)$$

Thus $\Delta < .086$, and the protocol is provably secure, for $\mu < .0240$. The security proof
still applies if Bob's detector, rather than being perfectly efficient, has an efficiency that is
independent of the basis in which the detector measures, where whether the detector fires is
decided randomly, uninfluenced by the eavesdropper.
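
As an added numerical check (not part of the original paper), the Python below rebuilds the source-P qutrit signals, derives the two conclusive POVM vectors from the orthogonality conditions, and evaluates the eq. (11) detection bound, the resend error rate, and the eq. (13) threshold on $\mu$. All function names are illustrative, and the relative sign of the resent superposition is an assumption chosen so that the resent state bisects the two compatible BB84 states.

```python
import math

R2 = math.sqrt(2.0)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def unit(v):
    n = math.sqrt(dot(v, v))
    return tuple(a / n for a in v)

def cross(u, v):
    return (u[1]*v[2] - u[2]*v[1], u[2]*v[0] - u[0]*v[2], u[0]*v[1] - u[1]*v[0])

def signals(mu):
    # Source P signals in the {vac, 0, 1} basis; multiphoton part dropped (norm < 1).
    a, s = math.sqrt(mu), math.exp(-mu / 2)
    return {"0": (s, s*a, 0.0), "+": (s, s*a/R2, s*a/R2),
            "1": (s, 0.0, s*a), "-": (s, s*a/R2, -s*a/R2)}

def conclusive_vectors(mu):
    # Outcome b: unit vector orthogonal to both signals that carry the other key bit.
    sig = signals(mu)
    return {0: unit(cross(sig["1"], sig["-"])), 1: unit(cross(sig["0"], sig["+"]))}

def outcome_probs(mu):
    # P(outcome b | signal) for the POVM element E_b = (1/2)|v_b><v_b|.
    sig, vec = signals(mu), conclusive_vectors(mu)
    return {k: {b: 0.5 * dot(vec[b], s) ** 2 for b in (0, 1)} for k, s in sig.items()}

def max_eig_conclusive(mu):
    # Top eigenvalue of E_0 + E_1 is (1 + |<v_0|v_1>|)/2; E_DK >= 0 needs it <= 1.
    vec = conclusive_vectors(mu)
    return 0.5 * (1 + abs(dot(vec[0], vec[1])))

def resend_error_rates():
    # Assumption: the resent qubit bisects the two compatible BB84 states,
    # i.e. |0>+|+> for bit 0 and |1>-|-> for bit 1, normalized.
    z0, z1, xp, xm = (1.0, 0.0), (0.0, 1.0), (1/R2, 1/R2), (1/R2, -1/R2)
    psi0 = unit((z0[0] + xp[0], z0[1] + xp[1]))
    psi1 = unit((z1[0] - xm[0], z1[1] - xm[1]))
    # Bob measures in Alice's basis; an error is the state of the opposite bit.
    return [dot(z1, psi0)**2, dot(xm, psi0)**2, dot(z0, psi1)**2, dot(xp, psi1)**2]

def delta_upper(mu):
    # Eq. (13): (mu^2/2) over the eq. (11) bound (.146) mu e^{-mu} / [1 + (.854) mu].
    return (0.5 / 0.146) * mu * math.exp(mu) * (1 + 0.854 * mu)

def max_secure_mu(limit=0.086):
    lo, hi = 0.0, 0.1  # bisection for the largest mu with delta_upper(mu) < limit
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if delta_upper(mid) < limit else (lo, mid)
    return lo
```

Under these assumptions `max_secure_mu()` evaluates to about .0240 and each entry of `resend_error_rates()` to about .146, in line with the values quoted in the text.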

We have shown, therefore, that the BB84 QKD protocol is less secure using the phase-coherent
source P than using the phase-randomized source R. Eve can exploit her knowledge of the phase of
the signals emitted by the source P to implement a POVM that, when its outcome is conclusive,
unambiguously identifies the key bit. But for the same bit error rate $\delta \approx .146$,
signal strength $\mu$ ($< .0240$), and signal detection rate $p_D \approx .146\mu$, if the
signals have random phases then Alice and Bob can generate a final key about which Eve has
negligible knowledge.

This observation raises many questions. Can realistic sources be engineered so that each signal
has a phase that the eavesdropper is unable to guess? Can "plug-and-play" systems, and other
systems that use strong ancillary pulses, be protected from phase-coherent attacks? Can strong
security results be proven if the phase is governed, not by a uniform probability distribution,
but by a distribution that is sufficiently broad? Finally, and most urgently, if Eve knows the
phase of every signal emitted by the source in a BB84 protocol, is there any positive bit error
rate $\delta$ such that provably secure key can be generated at a positive asymptotic rate?